"NYU has
integrated PDS with Sun's OpenSSO Identity Management application. The
PDS/OpenSSO integration uses PDS as the NYU Libraries' single sign-on
system and leverages NYU's OpenSSO system to provide seamless
interaction between library applications and university services. The
integration merges patron information from OpenSSO (e.g. name, email,
e-resources access) with patron information from Aleph (e.g. borrower
status and type) to ensure access to the multitude of library services."

"The NYU
Libraries operate in a consortial environment in which not all users are
in OpenSSO and not all OpenSSO users are in Aleph. PDS is hosted in an
active/passive capacity on our Primo front-end servers. Due to the
nature of PDS and Aleph, patrons are required to have an Aleph account
in order to login to the library's SSO environment. The exception to
this rule is EZProxy."

"Author: Scot Dalton

Additional author(s):

Institution: New York University

Year: 2009

License: BSD style

Short
description: Use, modification and distribution of the code are
permitted provided the copyright notice, list of conditions and
disclaimer appear in all related material.

Link to terms: [Detailed license terms]"

(2) Vulnerability Details:

NYU Opensso Integration web application has a computer cyber security bug problem. Hacker can exploit it by XSS attacks. This
may allow a remote attacker to create a specially crafted request that
would execute arbitrary script code in a user's browser session within
the trust relationship between their browser and the server.

Other similar
products 0day vulnerabilities have been found by some other bug hunter
researchers before. NYU has patched some of them. Web Security Watch is
an aggregator of security reports coming from various sources. It aims
to provide a single point of tracking for all publicly disclosed
security issues that matter. "Its unique tagging system enables you to
see a relevant set of tags associated with each security alert for a
quick overview of the affected products. What's more, you can now
subscribe to an RSS feed containing the specific tags that you are
interested in - you will then only receive alerts related to those
tags." It has published suggestions, advisories, solutions details
related to website vulnerabilities.